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REMARKS 

Applicant thanks the Examiner for stating that claims 9-15, 18, 24, 27, and 28 would be 
allowable if rewritten in independent form and/or to overcome objections. 

Claims 1, 5, 14, and 18 have been rejected under 35 U.S.C. § 1 12, second paragraph as 
being indefinite for failing to particularly point out and distinctly claim the subject matter which 
Applicant regards as the invention. Particularly, claims 1, 14, and 18 have been rejected as 
indefinite because the Examiner states the nature of the rate limit is not specified in these claims 
(i.e., what kind of criteria is used as a rate limit). Applicant respectfully asserts that claims 1, 14, 
and 18 are not indefinite, and the Examiner is reminded that the "[b]readth of a claim is not to be 
equated with indefmiteness." MPEP § 2173.04 (quoting in re Miller, 441 F.2d 689, 169 USPQ 
597 (CCPA 1971)). When read with the specification, a rate limit is clearly specified. For 
example, in various places in the specification, Applicant recites: 

The [access control] method seeks to limit the number of access 
requests for the service that a hacker can make whilst moving 
through different control levels as the number of access attempts 
increase over monitored periods of time . . . this involves rate 
limiting the number of requests to the same level at which call 
requests could be made from a telephone. Page 4, 11. 11-16. 

The first control level rate limits access requests so that the service 
is not denied to legitimate users and the telephone network is not 
adversely affected. Page 5, 11. 14-15. 

The following rate limits are continuously imposed by the access 
control server 6 for unverified access requests: 

1 . One concurrent call per machine identification (ID), which 
is the preferred cookie ID rather than a SSL certificate ID. 

2. One concurrent call per A party 1 6, identified by the A 
party number. 

3. X concurrent calls per access system 2, which is the 
number of concurrent calls the system 2 is able to support. 

4. One concurrent A party IVR validation procedure for a 
given IP address or segment. Page 6, 11. 1-9. 

Access requests or call requests that are received that exceed the 
above rate limits are queued by the access system 2. Page 6, 11- 11- 
12. 

Such an access control system and method are used to limit access to and protect a 
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service provision system. When read with the specification, one skilled in the art would readily 
recognize and understand the nature of the rate limit. 

Claim 5 has been rejected as being indefinite because the recitation "said identification 
data is verified by said user" is contrary to the verification procedure described in the 
specification. The Examiner states "the identification data is verified by the access control 
system not by the user." Claim 5 has been amended to clarify its meaning. 

Claim 14 has further been rejected as being indefinite because the need for performing 
other levels of security besides the execution of the first security level is not stated (i.e., reason is 
not given in the claim). Again, the Examiner is reminded that the "[b]readth of a claim is not to 
be equated with indefiniteness." MPEP § 2173.04. Furthermore, in contrast to the Examiner's 
assertion, the reason, or need, for performing other levels of security besides the execution of the 
first security level is recited in the second to last portion of amended claim 14, which recites 
"invoking said control levels sequentially depending on a number of failed attempts to verify 
said user " (emphasis added). 

Claim 14 has also been rejected as mdefinite because the security step "applying an 
access rate limit . . ." and the first security level "invoking a first control level . . ." do not clearly 
specify the nature of the security schemes and could be any one of the other security levels in the 
claim. Amended claim 14 clarifies the first level of security. 

Therefore, Applicant asserts that claims 1, 5, 14, and 18 are now in compliance with 35 
U.S.C. § 1 12, second paragraph, and respectfully requests the Examiner withdraw these 
rejections. 

Claim 14 has also been rejected under 35 U.S.C. § 1 12, first paragraph as based on a 
disclosure that is not enabling. Particularly, claim 14 has been rejected because the use of an 
identification data transmitted between a server and user in order to verify the user by the server 
is essential to the practice of the invention, but not included in the claim. Claim 14 has been 
amended to recite "wherein attempting to verify said user comprises sending unique 
identification data to said user, receiving identification data from said user in response to the sent 
identification data, and verifying the received identification data." Therefore, Applicant 
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respectfully requests reconsideration and withdrawal of the rejection. 

Claims 1-8, 16, 17, 19-23, 25, and 26 are rejected under 102(e) as being anticipated by 
Guthrie et al (U.S. 6,161,185). The Examiner has indicated that claims 9-15, 18, 24, 27, and 28 
would be allowable if rewritten in independent form and/or to overcome objections. 

Claim 1 has been amended to incorporate all of the limitations of previously presented, 
allowable claim 9, including the limitations of any intermediate claims, i.e., previously presented 
claim 2, thereby obviating the basis for the 102(e) rejection. Claims 2-9, 16, 17, 19-22, and 26 
depend from claim 1 and are patentable for the same reasons as claim 1 and by reason of 
additional limitations called for therein. Therefore, claims 1-9, 16, 17, 19-22, and 26 are in 
condition for formal allowance. 

Claim 10 has been rewritten in independent form, including all of the limitations of the 
base claim, i.e., previously presented claim 1, and any intervening claims, i.e., previously 
presented claim 2 and claims 3 and 6. Claims 1 1-13 and 23 depend from claim 10 and are 
patentable for the same reasons as claim 10 and by reason of additional limitations called for 
therein. Therefore, claims 10-13 and 23 are in condition for formal allowance. 

As stated above, amended claim 14 is now in compliance with 35 U.S.C. § 112, first and 
second paragraphs. Therefore, claims 14, 15, 19, and 27 are in condition for formal allowance. 

As stated above, claim 18 is now in compliance with 35 U.S.C. § 1 12, second paragraph. 
Therefore, claims 18, 24, and 28 are in condition for formal allowance. 
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In view of the foregoing, it is respectfully submitted that the claims of record are 
allowable and that the application should be passed to issue. Should the Examiner believe that 
the application is not in a condition for allowance and that a telephone interview would help 
further prosecution of this case, the Examiner is requested to contact Nathan Witzany at the 
telephone number below. 



Respectfully submitted, 



DORSEY & WHITNEY LLP 
Customer Number 75,149 





Nathan J. Witzany S 
Reg. No. 69,948 
Telephone: (612) 492-6862 



4834-6820-8898\2 
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APPENDIX A 



AN ACCESS CONTROL METHOD 



FIELD OF THE INVENTION 
The present invention relates to an access control method and to a system and a 
computer program for executing the method. 

5 BACKGROUND OF THE INVENTION 

One of the perennial problems with providing services over a communications 
network, such as the Internet, is the vulnerability of the system providing the service to 
damage or attack by malicious parties, such as computer hackers. Particularly for service 
provision over the Internet, services, such as information provision and communication 
10 services, may be accessed using scripts or applets which the hackers can attempt to 
replicate in programs to execute excessive access requests for the service. The excessive 
access requests, depending on their nature, can have a variety of effects on the service 
and in some circumstances may cause the service system to collapse. 

BACKGROUND 

15 Detecting a spurious access request or "hack" by a hacker is problematic for any 

service provider and a considerable number of security procedures have been developed 
to try and protect systems from a hack. Hackers however have proven particularly adept 
at being able to circumvent all forms of security procedures and systems which seek to 
deny them access. Given the computing resources and skills which the hacking 

20 community possess, an alternative approach to protecting service provision systems is 
needed. 

SUMMARY 

In accordance with the present invention there is provided an access control 
method performed by an access control system, including: 
25 receiving an access request for a service from a data processing apparatus; 

sending unique identification data to said apparatus in response to said access 
request; and 



applying a rate limit for verifying access to said service, using an access request 
queue, until said identification data is received from a user of said apparatus and verified 
by said access control system. 

The present invention also provides an access control method executed by a 
5 computer system, including: 

applying an access rate limit, using an access request queue, until a user issuing 
access requests is verified by said computer system; 

invoking a first control level involving attempting to verify said user; 
invoking a second control level applying hack program detection tests to said 
1 0 access requests and attempting to verify said user; 

invoking a third control level requiring use of predetermined download software 
for transmitting said access requests and attempting to verify said user; 

invoking a fourth control level blocking access to said service on the basis of at 
least one communications address corresponding to said access requests; and 
15 invoking said control levels sequentially depending on a number of failed 

attempts to verify said user. 

The present invention also provides an access control system having components 
for executing the steps of the method. 

The present invention also provides an access control software stored on a 
20 computer system, having code for executing the steps of the access control method 

The present invention also provides an access control system, including: 
an access control server for receiving access requests for a service from a data 
processing apparatus, using an access request queue, until a user of said apparatus is 
verified, and sending to said data processing apparatus unique identification data; and 
25 an interactive voice response system for contacting an independent 

communications device having an association with said user and said data processing 
apparatus, issuing a request for said identification data, and providing the identification 
data received from said user in response to said request to said access server in order to 
verify said user. 



2 



DESCRIPTION OF DRAWINGS 



A preferred embodiment of the present invention is hereinafter described, by way 
of example only, with reference to the accompanying drawings, wherein: 

Figure 1 is a block diagram of a preferred embodiment of an access control 
5 system connected to a communications network; and 

Figure 2 is a flow chart of an access control method performed by the access 
control system. 

DETAILED DESCRIPTION 
An access control system 2, as shown in Figure 1, is used to limit access to and 

10 protect a service provision system 4. The access control system 2 includes an access 
control server 6 and an interactive voice response system (IVR) 8 which are both 
connected to a communications network 30 and to each other. The service system 4 
includes a network server 10 connected to the access server 6, and an application server 
12 connected to the network server 10 and having access to a database 14. The 

15 application server 12 executes the application to provide a service over the network 30 
using the data contained in the database 14. The application server 12 gains access to the 
network 30 via the network server 10, which may be a web server to handle 
communications with the network using HTTP. The access server 6 is also able to 
communicate with the network 30 using HTTP and other protocols as necessary. The 

20 network 30 includes the Internet and other data and voice delivery networks, such as a 
public switched telephone network (PSTN). Although the servers 6, 10 and 12 and the 
IVR 8 are shown as separate machines, the machines can be integrated into one machine 
or divided into different machines which may be distributed and communicate remotely, 
as will be understood by those skilled in the art. The latter involves distributing the 

25 software components of the servers 6, 10 and 12 and the IVR 8 amongst the different 
machines. 

The preferred embodiment is described below with reference to the provision of a 
service for executing icon calling, where the application server 12 allows parties (an A 
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party) using a data processing apparatus 22 (i.e. a computer) to access directory or 
telephone information concerning another party (the B party) via a web site, and then 
select a call icon on a page of the site to establish a call between the A and B parties. 
This involves the application server 12 instructing the network 30 to place a call to a 
5 telephone 16 of the A party and a telephone 18 or 20 of the B party. Further details 
concerning the system required to support the service is provided in the applicant's 
Australian Patent Application No. 19173/97. It will of course be apparent to a skilled 
addressee that the access control method executed by the system 2 described below can 
be applied to any service delivered over the communications network 30. 

10 The access control method is executed by a computer program stored on the 

access control server 6 which communicates with and uses the standard features of the 
IVR 8, such as those provided with the IVRs produced by Periphonics Corporation or 
Dialogic Corporation. Again, the program could be distributed or its processes executed 
by dedicated hardware, such as application specific integrated circuits (ASICs), as will be 

1 5 understood by those skilled in the art. 

The access control method adopts a different approach to standard security 
methods, in that it is assumed that a hacker using the apparatus 22 will eventually be able 
to penetrate any defenses defenc e s , and therefore allows legitimate users to use the 
system 4 whilst it is under attack. The method seeks to limit the number of access 

20 requests for the service that a hacker can make whilst moving through different control 
levels as the number of access attempts increase over monitored periods of time. For the 
icon calling service this means limiting the number of prank calls to the same as that 
which could be made from a telephone. In other words, this involves rate limiting the 
number of requests to the same level at which call requests could be made from a 

25 telephone. Whilst the access limit is in place, if a user is not verified, the control levels 
will move through a second hack detection level, a third software download level and a 
fourth level where access is completely blocked for the apparatus 22. 

The data processing apparatus 22 does not provide any unique identification (ID) 
when making an access request to the system 4 which can be used by the access control 
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system 2, because an IP address is not unique for a machine 22 which is sharing a proxy 
server with other machines. The method therefore involves creating an ID which is 
stamped on the requesting machine 22. Supplementary information delivery strategies 
currently supported by web browsers are cookie files and Secured Sockets Layer (SSL) 
5 client certificates, but as the availability of client certificates cannot be relied upon, the 
method uses encrypted cookie files, as described below. The A party user or the 
telephone 16 of the requesting A party is verified by executing an IVR based security 
check. The access control server 6 instructs the IVR 8 to place a call to the telephone 16 
designated in the call request, and the answering party is asked to enter or divulge a 
10 unique code which is sent to the machine 22 for display by the access control server 6. 
The IVR 8 then reports back to the server 6 the code provided using the telephone 16. If 
the sent and received security codes correspond the A party is verified. A rate limit is 
therefore applied to a request having an IP address identifying the machine 22 until this 
IVR verification has been successfully completed. 

15 The control levels of the access control method described below apply to 

unverified A party numbers from a given IP address. If m or more IP addresses in a 
segment are operating under a control level (m being an integer greater than or equal to 
2), an entire IP segment, i.e. 256 addresses, is tagged as being in a control level. This 
provides protection from a hacker who is cycling through IP addresses in a segment. 

20 However, it is not until the fourth control level is reached that any IP address or segment 
blocking occurs, as this is potentially serious given that an entire proxy server can be 
blocked. 

The first control level rate limits access requests so that the service is not denied 
to legitimate users and the telephone network is not adversely affected. At this level, the 
25 access method executes the IVR based verification or validation check, which 
additionally ensures that a computer 22 has been configured correctly. 

Figure 2 is a flow chart of an exemplary access control method performed by the 
access control system. When an initial access request is made by the data processing 
apparatus 22 (step 40) , the access control system 6 treats this initial access request as a 
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request to register with the system 4 and enters a registration validation procedure where 
a time-limited encrypted cookie file encoded with a unique identification number is sent 
(step 42) for storage at the machine 22 and can be used to make one call. As stated 
above, a first access control level (step 44) applies a rate limit (step 46) for the apparatus 
22. When the A party is called for the first time, a random unique security code, which in 
this instance can be text based, is sent for display on the computer 22 (step 48) and the 
IVR 8 is instructed by the access control system 6 to provide a prompt for the answering 
party at the telephone 16 to provide the displayed security cod e (step 50) . If the security 
code is entered correctly by the answering part y (step 52) , using DTMF signals generated 
by pressing the buttons on the telephone 16. the data processing apparatus 22 is verified 
(step 54) and the time limit in the encrypted cookie is cancelled and the number of calls 
that can be made is changed to unlimited. The B party is then called on the telephone 18 
or 20. Once the security code is verified the identification number in the cookie is sent 
with access requests (step 56) to the application system 4 for verification (step 58) . 

The following rate limits are continuously imposed by the access control server 6 
for unverified access requests: 

1 . One concurrent call per machine identification (ID), which is the preferred 
cookie ID rather than a SSL certificate ID. 

2. One concurrent call per A party 1 6, identified by the A party number. 

3. X concurrent calls per access system 2, which is the number of concurrent 
calls the system 2 is able to support. 

4. One concurrent A party IVR validation procedure for a given IP address or 



Access requests or call requests that are received that exceed the above rate limits 
(step 60) are queued (step 62) by the access system 2 and a user is presented with their 
position in the queue on a page sent to the web browser of the user's machine 22. The 
queue position display also includes expected time in the queue. A configurable queue 
size limit applies to each requesting IP address to prevent overuse of system resources. 
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The P/R validation check procedure is considered to have failed if an A party call 
is invalidated in that the call enters a ringing state and is abandoned or is connected and 
disconnected without the correct security code being entered into the telephone. This 
may occur if a requesting party at the machine 22 enters an A party number which is not 
5 theirs and a telephone 18 or 20 is rung which is not associated with the machine 22. The 
person who receives this call of course cannot see the displayed security code on the 
screen of the machine 22. Essentially this will be a prank A party call. 

The above procedures of the first security level, in particular the rate limit (no. 5) 
regarding concurrent registration and the time limit in the cookie, essentially eliminate 
10 any prank B party calls and limit the number of prank A party calls to about 2 to 6 per 
minute. The additional protection procedures in the additional control levels below limit 
the number of prank A party calls further so that only a few calls can be made. 

The second access control level (step 64) is entered if an IP address or segment 
fails a predetermined number, say n, IVR verifications or checks within the last 24 hours. 
15 The default for n would be 2. The purpose of this level is to execute additional tests on 
the user to ensure that a person is controlling the machine 22 and generating the access 
requests, as opposed to an automated program or hack. The tests in this level do not 
require the user to download any software to their computer 22. 

The tests which are executed include the following: 
20 1. A security code is again sent by the access control server 6 to the machine 

22 for display and the IVR 8 instructed to call the A party telephone 16 

and prompt for the security code to be entered. In this instance, however, 

the security code is presented in a graphic format, i.e. as a bitmap image. 

This will defeat any automated program which is simply looking for the 
25 code in a text based format, and will require any hacker to adjust the 

hacking program to incorporate optical character recognition which is 

sufficiently accurate to extract the security code. 
2. Script or an applet is sent from the access control system to the machine 

22 which is configured to scan the machine to detect an automatic 
30 continually iterative hacking program which may be making the access 

requests. This could be detected by a hacker. 
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3. The access control system 6 runs a check procedure to determine whether 
the HTTP requests from the machine 22 include data associated with 
normal use of most browsers, such as Netscape NavigatorJ and Microsoft 
Internet ExplorerJ, and which would not normally be returned by a 

5 hacking program. 

4. A time based test is executed also by the access control server 6 to detect 
whether the access requests are made faster than would be possible if the 
machine 22 was under human control. 

Other remote checks for program control can also be executed. 

10 This control level reduces the attack rate further by forcing a hacker to consider 

how to meet the above tests. This will take some time, believed to be at least 24 hours. 

An IP address or segment at this control level will return to the first control level 
within 24 hours if no additional IVR verification failures occu r (steps 66 and 68) . This 
will ensure that IP addresses randomly assigned by an Internet service provider (ISP) are 
1 5 not blocked simply because a hacker has generated a few prank calls. 

The third access control level (step 70) is entered if an IP address or segment fails 
o IVR tests, within 24 hours from the first access request, where o is greater than n. 

In this control level, the access control server 6 sends a prompt to the user's 
machine 22 to download software to the machine 22. When a request for the software is 

20 received, the access control server 6 sends the software which, when stored on the 
machine 22, ensures all future communications between the machine 22 and the systems 
2 and 4 is executed using a secure encrypted communications protocol. This prevents a 
hacker from determining the data passed between the machine 6 and the access control 
server 6 in all future communications. It also allows the downloaded software to 

25 examine the user's machine 22 and send investigative data securely back to the access 
control system 6 to detect if a person or program is controlling the machine 22. Again, a 
hacker, after some time, may be able to break the encrypted communication protocol and 
create a wrapper program which mimics the downloaded software so that the hack can 
continue using the protocol to access the system 4. Again the time needed to break this 

30 control level is assumed to be at least 24 hours ("see steps 66 and 68) . 



A machine 22 at the third control level returns to the first control level status 
within 48 hours from the initial access request if no additional IVR check failures occur. 



This is done, as mentioned previously, to allow release of IP addresses randomly 
assigned by ISPs. 



An IP address or segment will reach the fourth control level (step 72) and remain 
in this state until manually cleared by an operator of the system 2 if the IP address or 
5 segment has failed o+l IVR checks. This level is used to block the IP address or segment 
which is considered to be unverified. All access requests from the IP address or segment 
is refused. The block is made as close as possible to the machine 22, preferably at a 
router level, in the network 30 to reduce the performance impact of a continuous attack. 
Accordingly the attack is reduced further by blocking the IP address or segment as close 
1 0 as possible to where the attack originates, which can block an entire proxy server. 

The access control server 6 executes a reverse Domain Name Server (DNS) 
lookup procedure to determine the manager of the domain associated with the IP address 
or segment and then sends an e-mail message to the manager advising the block has 
occurred. A copy of the e-mail is also sent to inform the operator of the systems 2 and 4. 

15 Many modifications will be apparent to those skilled in the art without departing 

from the scope of the present invention as herein described with reference to the 
accompanying drawing. 
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ABSTRACT 



An access control method executed by a computer system, including applying an 
access rate limit until a user issuing access requests is verified, a first control level 
involving verifying the user, a second control level applying hack program detection tests 
5 to the access requests and verifying the user, a third control level requiring use of 
predetermined download software for transmitting the access requests and verifying the 
user, a fourth control level blocking access to the service on the basis of at least one 
communications address corresponding to the access requests, and invoking the control 
levels sequentially depending on a number of failed attempts to verify the user. 
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